--- - name: Set HostOnly DNS Address win_dns_client: adapter_names: '*' ipv4_addresses: - 192.168.38.102 - 8.8.8.8 log_path: C:\dns_log.txt - name: Install git win_chocolatey: name: git state: present - name: Check if existing DetectionLab directory win_stat: path: 'c:\DetectionLab' register: dir - name: Git clone Detectionlab win_shell: git clone https://github.com/clong/DetectionLab.git args: chdir: 'c:\' when: not dir.stat.exists - name: Copy scripts to c:\vagrant win_shell: Copy-Item -Recurse c:\DetectionLab\Vagrant c:\vagrant args: creates: c:\vagrant\Vagrantfile - name: Join the Domain win_shell: .\\provision.ps1 args: chdir: 'c:\vagrant\scripts' register: wef_join_domain changed_when: "'HasSucceeded : True' in wef_join_domain.stdout" failed_when: '"failed to join domain" in wef_join_domain.stderr' - debug: msg="{{ wef_join_domain.stdout_lines }}" - name: Reboot After Joining the Domain win_reboot: msg: "Joining the domain. Rebooting..." pre_reboot_delay: 15 reboot_timeout: 600 post_reboot_delay: 60 when: wef_join_domain.changed - name: Download Microsoft ATA win_get_url: url: http://download.microsoft.com/download/4/9/1/491394D1-3F28-4261-ABC6-C836A301290E/ATA1.9.iso dest: "C:\\Users\\vagrant\\AppData\\Local\\Temp\\Microsoft ATA 1.9.iso" timeout: 3600 - name: Check if DetectionLab Clear Event Logs has been done win_stat: path: 'c:\Windows\.detectionlab_clear_done' register: clearevt - block: - name: Clear Event Logs win_shell: "wevtutil el | Select-String -notmatch \"Microsoft-Windows-LiveId\" | Foreach-Object {wevtutil cl \"$_\"}" - name: Add marker for DetectionLab Clear Event win_file: path: 'c:\Windows\.detectionlab_clear_done' state: touch when: not clearevt.stat.exists - name: Downloading the Palantir WEF Configuration win_shell: ".\\download_palantir_wef.ps1" args: chdir: 'c:\vagrant\scripts' register: palantir_wef failed_when: "'Exception' in palantir_wef.stdout" changed_when: "' already exists. Moving On.' not in palantir_wef.stdout" - debug: msg="{{ palantir_wef.stdout_lines }}" - name: Installing WEF Subscriptions win_shell: ".\\install-wefsubscriptions.ps1" args: chdir: 'c:\vagrant\scripts' register: wef_subscriptions failed_when: "'Exception' in wef_subscriptions.stdout" changed_when: "'already installed, moving on...' not in wef_subscriptions.stdout" - debug: msg="{{ wef_subscriptions.stdout_lines }}" - name: Installing the Splunk Universal Forwarder win_shell: ".\\install-splunkuf.ps1" args: chdir: 'c:\vagrant\scripts' register: splunkuf failed_when: "'Exception' in splunkuf.stdout" changed_when: "' already installed. Moving on.' not in splunkuf.stdout" - debug: msg="{{ splunkuf.stdout_lines }}" - name: Install Splunk Windows TA win_shell: ".\\install-windows_ta.ps1" args: chdir: 'c:\vagrant\scripts' register: windowsta failed_when: "'Exception' in windowsta.stdout" changed_when: "' already installed. Moving on.' not in windowsta.stdout" - debug: msg="{{ windowsta.stdout_lines }}" - name: Installing the Powershell Log Transcription Share win_shell: ".\\configure-pslogstranscriptsshare.ps1" args: chdir: 'c:\vagrant\scripts' creates: c:\pslogs register: pstranscriptshare failed_when: "'Exception' in pstranscriptshare.stdout" - debug: msg="{{ pstranscriptshare.stdout_lines }}" when: pstranscriptshare.stdout_lines is defined - name: Installing the EVTX Event Samples win_shell: ".\\install-evtx-attack-samples.ps1" args: chdir: 'c:\vagrant\scripts' register: evtxeventsamples failed_when: "'Exception' in evtxeventsamples.stdout" changed_when: "' were already installed. Moving On.' not in evtxeventsamples.stdout" - debug: msg="{{ evtxeventsamples.stdout_lines }}" - name: Installing Microsoft Advanced Threat Analytics win_shell: ".\\install-microsoft-ata.ps1" args: chdir: 'c:\vagrant\scripts' register: windowsata failed_when: "'Exception' in windowsata.stdout" changed_when: "' was already installed. Moving On.' not in windowsata.stdout" - debug: msg="{{ windowsata.stdout_lines }}" - name: Configure WEF with raw Commands win_shell: "{{ item }}" with_items: - "wevtutil el | Select-String -notmatch \"Microsoft-Windows-LiveId\" | Foreach-Object {wevtutil cl \"$_\"}" - "Set-SmbServerConfiguration -AuditSmb1Access $true -Force"